Configuration for authorization

chaitu_kranthi
Level 1

Hi,

Here is my ACS setup

1. We have two NDG groups under the Network Configuration tab:

one group is for common network devices like routers and switches,

and in the other group we have special devices like VPN routers and internet routers.

Coming to the user details:

2. We have two different types of user groups:

one has full access to both NDG groups,

the other has read-only access to both NDG groups.

Now my problem is that I have to provide read/write access to some of the users

who are in the read-only access group, and that too only for the special devices NDG group, not the common network NDG group.

I mean he has to get full access to one NDG and read-only access to the other.

Can someone help me with this?

2 Replies

Jagdeep Gambhir
Level 10

You need to set up command authorization using "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

koeppend
Level 4

What about setting up a 3rd group called power users (or whatever you want to call it), then allow the 'special' users full access to both device groups but limit their command access to the read only group, using command shell auth, as suggested by JG.

You can actually set up some ACS groups where read only users get level 15 access to devices but they can only perform 'show' related commands even though they have enable access. You have the ability to do a 'deny' against 'conf t' attempts.

Also you can use Network Device Restrictions if you don't want them to access particular devices at all.
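The layout suggested in the replies above (a third group, with a command authorization set chosen per NDG) can be checked as a small policy model before building it in ACS. This is an added example, not part of the thread and not ACS code: the group, NDG and set names are hypothetical, argument matching is simplified to a prefix test, and commands are assumed to arrive in expanded form ("configure terminal" rather than "conf t").

```python
# Added example: simplified model of per-NDG shell command authorization.
# All group, NDG and command-set names below are hypothetical.

COMMAND_SETS = {
    # Everything is allowed unless a listed command says otherwise.
    "full-access": {"unmatched": "permit", "commands": {}},
    # Only listed commands are allowed; 'configure terminal' is denied explicitly.
    "read-only": {
        "unmatched": "deny",
        "commands": {
            "show": {"rules": [], "permit_unmatched_args": True},
            "exit": {"rules": [], "permit_unmatched_args": True},
            "configure": {"rules": [("deny", "terminal")],
                          "permit_unmatched_args": False},
        },
    },
}

# User group -> NDG -> command set assigned for that NDG.
GROUP_POLICY = {
    "full-access-users": {"common-devices": "full-access",
                          "special-devices": "full-access"},
    "read-only-users": {"common-devices": "read-only",
                        "special-devices": "read-only"},
    "power-users": {"common-devices": "read-only",
                    "special-devices": "full-access"},
}


def authorize(group, ndg, command_line):
    """Return True if the command is permitted for this group on this NDG."""
    set_name = GROUP_POLICY.get(group, {}).get(ndg)
    if set_name is None:          # no command set assigned: fail closed
        return False
    words = command_line.split()
    if not words:
        return False
    cmd_set = COMMAND_SETS[set_name]
    command, args = words[0], " ".join(words[1:])
    entry = cmd_set["commands"].get(command)
    if entry is None:             # command not listed in the set
        return cmd_set["unmatched"] == "permit"
    for action, prefix in entry["rules"]:   # first matching rule wins
        if args.startswith(prefix):
            return action == "permit"
    return entry["permit_unmatched_args"]
```

Users moved into the third group keep the read-only set on the common devices and gain the full-access set only on the special devices; an NDG with no set assigned is denied.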
